
With more than two-thirds of all purchases made with payment cards and $20tn in credit card transactions expected in 2015, security has become a top priority for organisations that accept credit cards.

Low compliance in data breach firms

“The report is an important document that should serve as a wake-up call for every business that cares about payment security,” said Stephen Orfei, general manager of the PCI Security Standards Council (PCI SSC).

He said that, although there is progress in many key areas in protecting payment card data, the report shows there remains a long way to go.

“Cyber attacks are on the rise, and too many companies do not make payment security an all-day, every-day priority,” said Orfei.

Verizon’s cyber security research has consistently found that, since 2009, organisations suffering a data breach showed lower-than-normal compliance with a number of PCI DSS controls.

Loss of customer trust

“This report reinforces what the PCI Security Standards Council has been promoting for years – payment security must be a higher priority for the business community,” said Orfei.

According to Verizon, companies can better manage their brand, ensure consumer trust and avoid hefty fees by reducing the likelihood of a breach.

One of the biggest negative effects of data breaches is the loss of customer trust; studies show 69% of consumers are less inclined to do business with an organisation that has been breached.

“Compliance at a point in time isn’t sufficient to protect data because today’s cyber security landscape is constantly changing,” said Rodolphe Simonetti, managing director, professional services for Verizon Enterprise Solutions.

“Putting the focus on making compliance sustainable is key. It must be a part of day-to-day activities in an organisation’s greater security strategy,” he said.

Three key areas of concern

The report shows organisations commonly fall out of compliance in three key areas:

Testing security systems regularly;

Maintaining secure systems;

Protecting stored data.

“Often an organisation’s approach to PCI security is to focus on passing the annual compliance assessment. But this is just the start of a vigilant, proactive security program. Only a combination of people, process and technology, and a focus on making security a ‘business-as-usual’ practice, will help thwart these constant threats,” said Orfei.

Of all the data breaches studied, Verizon’s findings show that not a single company was fully PCI DSS compliant at the time of the breach.

“Another troubling trend from this year’s report is that data security is still inadequate,” said Simonetti.

“The volume and scale of data breaches in the past 12 months is proof that current security techniques are not stopping attackers – in many cases they aren’t even slowing them down.”

Risk-management strategy

According to Simonetti, PCI DSS compliance must be viewed as part of a comprehensive information security and risk-management strategy.

“A PCI DSS assessment can uncover important security gaps that should be fixed, but it is not a guarantee that the data is safe from a cyber attack,” he said.

This year’s report covers three years of data from PCI assessments, conducted by Verizon’s team of PCI Qualified Security Assessors for large multinational firms in more than 30 countries.

How companies fall out of PCI DSS compliance

The 2015 report includes details of how and where companies fall out of compliance once achieved, and recommendations on how to make compliance easier and how to remain compliant.

“2015 is a pivotal year for payment card security as the US transitions to EMV Chip technology, and this report hopefully will bring attention to the many critical issues that companies need to consider during this important time,” said Orfei.

“There is no silver bullet to security or preventing breaches. But by establishing a multi-layered approach that includes vigilance in monitoring and managing access, proactively strengthening security at the point-of-sale, and actively preparing to meet new threats, businesses can significantly reduce the types of risks that have enabled recent breaches.”

To help educate organisations struggling with implementing and maintaining proper security measures to detect and mitigate malware attacks, the PCI SSC is to host a webinar on how to defend against Backoff malware aimed at point of sale systems.

The webinar will be held in collaboration with the Visa Payment System Cyber Intelligence Team on 26 March 2015 at 1700 GMT.
